FMC Syslog with Graylog Extractor

Feb 5, 2019 cisco FMC graylog Network Security Syslog
Share on:

Let's continue to talk about the Cisco Firepower Management Center, in this post we are going to look at sending connection events over to syslog. In this example I'm using Graylog which is an open source logging platform and  although any syslog server would work, one of the problems with syslogs is there is little uniformity when you have different systems sending these logs. One of the things that Graylog can to do is extract the raw message and put each part of message into a separate searchable field. We'll configure the FMC to send syslogs and then configure an extractor on Graylog.

So we have the FMC and Graylog in our environment setup. We'll want to first configure the FMC and add a syslog server. We can do this two ways, one way is we can go to into Policy tab-> Actions->Alerts->Create Alert (Down Arrow)->Create Syslog Alert.

You could also go into an access control policy and select log (::inline) icon either in the default action or on a rule you would like to log. Another window will show and select the green plus icon and add the syslog server that way.

Once that is out-of-the-way we can now go into Graylog and configure an extractor on the syslog input. This is located under System->Inputs then under the syslog input select manage extractor. On the actions tab select import extractor and paste this JSON followed by selecting the Add extractors to input at the bottom of the page.

 1{
 2  "extractors": [
 3    {
 4      "title": "FMC – Default Fields",
 5      "extractor_type": "grok",
 6      "converters": [],
 7      "order": 15,
 8      "cursor_strategy": "copy",
 9      "source_field": "message",
10      "target_field": "",
11      "extractor_config": {
12        "grok_pattern": "%{WORD:field}: Protocol: %{WORD:protocol}, SrcIP: %{IP:Source_IP}, OriginalClientIP: ::, DstIP: %{IP:Destination_IP}, SrcPort: %{INT:src_port}, DstPort: %{INT:dest_port}, TCPFlags: %{WORD:flags}, IngressZone: %{HOSTNAME:ingress_zone}, EgressZone: %{HOSTNAME:egress_zone}, DE: %{DATA:detect_engine}, Policy: %{DATA:policy}, ConnectType: %{WORD:connectType}, AccessControlRuleName: %{DATA:ACLRuleName}, AccessControlRuleAction: %{DATA:ACLRuleAction},",
13        "named_captures_only": true
14      },
15      "condition_type": "regex",
16      "condition_value": "( SFIMS:)"
17    }
18  ],
19  "version": "2.4.6"
20}

I have noticed that it might take some time for Graylog to extract the messages as well as it seems there is a delay in the Cisco FMC when sending syslogs but If everything is configured correctly you should start to see logs coming into Graylog. I normally use this for researching firewall rules as its easier to run a search in Graylog then it is on the FMC. Here is what the raw message looks like:

1_DMZ-FW02 SFIMS: Protocol: TCP, SrcIP: 172.25.45.55, OriginalClientIP: ::, DstIP: 172.25.30.82, SrcPort: 58996, DstPort: 1433, TCPFlags: 0x0, IngressZone: LOC-DMZ, EgressZone: LOC-INSIDE, DE: Primary Detection Engine (d4d9f400-c6d2-4065-9f90-da61a963b980), Policy: Acme DMZ ACP, ConnectType: Start, AccessControlRuleName: WEBSRVS->SQLSRVS->TCP1443, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 66, NAPPolicy: Acme DMZ NAP, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown_

Here is what Graylog would be able to extract from that message with our extractor:

 1ACLRuleAction
 2Allow
 3ACLRuleName
 4WEBSRVS->SQLSRVS->TCP1443
 5Destination_IP
 6172.25.30.82
 7Source_IP
 8172.25.45.55
 9connectType
10Start
11dest_port
121433
13detect_engine
14Primary Detection Engine (d4d9f400-c6d2-4065-9f90-da61a963b980)
15egress_zone
16LOC-INSIDE
17field
18SFIMS
19flags
200x0
21ingress_zone
22LOC-DMZ
23policy
24Acme DMZ ACP
25protocol
26TCP
27src_port
2858996

With this grok pattern that we created with Graylog we are able to search these fields like Source IP and Destination IP and even the ACLRule name. gl-aclrulename

This makes it much easier to search these results as well as put this type of data into dashboards or reports. Like always I hope this information is helpful you can find more information about Graylog by hitting their site and try it out for yourself. :)